Once you’ve spent a few hours trying to understand the implications of IPv6, you quickly realize that the only significant change is the increase in the address length. All the other goals that some people had been talking about were either forgotten or failed because of the huge mismatch between the idealistic view of the Internet that IPv6 developers had 15 years ago and today’s reality. However, you still find mythical properties of IPv6 propagated across the Internet. Here are a few I’ve found; add your favorites in the comments.

Numerous IPv6 topics are covered in my Enterprise IPv6 Deployment workshop. You can attend an online version of the workshop or we can organize a dedicated event for your team.

IPv6 provides service/location separation. Total nonsense. The only mechanism used to find services is still DNS and it’s still used from the wrong position in the protocol stack.

IPv6 will reduce IP routing tables. Not true. The IETF had 15 years to solve multihoming issues, but failed to do so. SHIM, SCTP ... are still in a very experimental stage. If anything, the situation will only get worse, as everyone will try to get PI address space.

IPv6 will reduce BGP problems. Just the opposite. Not only will the size of the IPv6 global routing table increase, IPv6 BGP tables use more space (and more bandwidth) than the corresponding IPv4 BGP tables.

IPv6 has better quality of service. Total nonsense; the only widespread QoS mechanism is DiffServ that uses DSCP.
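To make the DiffServ point concrete, here is an added example (not code from the original post) that builds minimal IPv4 and IPv6 headers and pulls the DSCP and ECN bits out of each. The six DSCP bits sit in the IPv4 TOS byte and in the IPv6 Traffic Class field (which straddles the first two bytes), and the same value selects the same per-hop behaviour in both; the IPv6 flow label is extracted too, since it is the one QoS-related field IPv4 lacks. Addresses and DSCP values are constructed for the demonstration.

```python
# Added example (not code from the original post): the DiffServ code point
# occupies the same six bits in the IPv4 TOS byte and the IPv6 Traffic Class
# field, so per-hop QoS behaviour is selected the same way in both protocols.
# All headers below are constructed inline for the demonstration.
import socket
import struct

# Standard-pool DSCP values (RFC 2474, RFC 2597, RFC 3246); partial table.
DSCP_NAMES = {0: "BE", 8: "CS1", 10: "AF11", 18: "AF21", 26: "AF31",
              34: "AF41", 46: "EF", 48: "CS6", 56: "CS7"}


def build_ipv4_header(dscp, ecn=0):
    """Minimal 20-byte IPv4 header (no options, zero checksum) with the given marking."""
    tos = (dscp << 2) | ecn                      # DSCP(6 bits) | ECN(2 bits)
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 17, 0,
                       socket.inet_pton(socket.AF_INET, "192.0.2.1"),
                       socket.inet_pton(socket.AF_INET, "198.51.100.1"))


def build_ipv6_header(dscp, ecn=0, flow_label=0):
    """Minimal 40-byte IPv6 header with the given marking and flow label."""
    traffic_class = (dscp << 2) | ecn
    # First 32-bit word: version(4) | traffic class(8) | flow label(20)
    first_word = (6 << 28) | (traffic_class << 20) | (flow_label & 0xFFFFF)
    return struct.pack("!IHBB16s16s", first_word, 0, 17, 64,
                       socket.inet_pton(socket.AF_INET6, "2001:db8::1"),
                       socket.inet_pton(socket.AF_INET6, "2001:db8::2"))


def parse_marking(header):
    """Return {'version', 'dscp', 'ecn'} (+ 'flow_label' for IPv6) from a raw IP header."""
    version = header[0] >> 4
    if version == 4:
        if len(header) < 20:
            raise ValueError("truncated IPv4 header")
        tos = header[1]                           # second byte: DSCP(6) | ECN(2)
        return {"version": 4, "dscp": tos >> 2, "ecn": tos & 0x3}
    if version == 6:
        if len(header) < 40:
            raise ValueError("truncated IPv6 header")
        (first_word,) = struct.unpack("!I", header[:4])
        traffic_class = (first_word >> 20) & 0xFF  # straddles bytes 0 and 1
        return {"version": 6, "dscp": traffic_class >> 2,
                "ecn": traffic_class & 0x3, "flow_label": first_word & 0xFFFFF}
    raise ValueError(f"unsupported IP version {version}")


def dscp_name(header):
    """Human-readable PHB name for the header's DSCP; identical logic for v4 and v6."""
    dscp = parse_marking(header)["dscp"]
    return DSCP_NAMES.get(dscp, f"DSCP{dscp}")


if __name__ == "__main__":
    for hdr in (build_ipv4_header(46), build_ipv6_header(46, flow_label=0x12345)):
        print(parse_marking(hdr), dscp_name(hdr))
```

The parser dispatches on the version nibble only, which is how a DiffServ-aware device classifies traffic in practice: the marking is read from a different byte offset, but the meaning of the six bits is the same in both address families.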

IPv6 has better security. Not true. IPSec might be better integrated in IPv6 headers, but there’s nothing you can do with IPv6 IPSec that you cannot do with IPv4 IPSec.

Residential IPv6 is less secure because it does not require NAT. Anyone who thinks NAT is a security feature deserves to become part of a botnet.
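The NAT myth is easiest to see with a small simulation. The following is an added example (not code from the original post) that runs the same constructed traffic through three edge devices: an IPv4 PAT router, an IPv6 router with no filter, and an IPv6 router with a stateful filter and no address translation. Whatever protection PAT gives comes from the per-flow translation table it has to keep; a stateful filter keeps equivalent state and drops unsolicited inbound packets just the same, while the IPv6 router without a filter delivers everything. The model is deliberately simplified (no TCP state machine, timeouts or ICMP handling), and all addresses come from the documentation ranges.

```python
# Added example (not code from the original post): a simulation showing that the
# protection people attribute to NAT comes from per-flow state, and that a
# stateful filter in front of IPv6 hosts gives the same result without any
# address translation. Simplified model: no TCP state machine, no timeouts,
# no ICMP handling. All addresses are constructed from documentation ranges.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reply(self):
        """Packet a remote peer would send back in response to this one."""
        return Packet(self.dst, self.dport, self.src, self.sport, self.proto)


class StatelessForwarder:
    """IPv6 CPE with no filter: every packet in either direction is forwarded."""
    def outbound(self, pkt):
        return pkt

    def inbound(self, pkt):
        return pkt


class StatefulFilter:
    """IPv6 CPE with a stateful filter: inbound must match a flow first seen outbound."""
    def __init__(self):
        self.flows = set()

    def outbound(self, pkt):
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return pkt

    def inbound(self, pkt):
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return pkt if reverse in self.flows else None   # None = dropped


class PatRouter:
    """IPv4 PAT: rewrites the source to one public address and a fresh port.
    The translation table is per-flow state, and that state is the only reason
    unsolicited inbound traffic has nowhere to go."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}   # inside 5-tuple -> allocated public port
        self.in_map = {}    # (proto, public port, remote ip, remote port) -> (inside ip, inside port)

    def outbound(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[(pkt.proto, self.next_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return Packet(self.public_ip, self.out_map[key], pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt):
        inside = self.in_map.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if inside is None or pkt.dst != self.public_ip:
            return None                                  # no translation entry: dropped
        return Packet(pkt.src, pkt.sport, inside[0], inside[1], pkt.proto)


def exercise(device, client_request, unsolicited):
    """Send one client request out, then its reply and an unsolicited probe back in."""
    on_the_wire = device.outbound(client_request)
    return {
        "reply_delivered": device.inbound(on_the_wire.reply()) is not None,
        "unsolicited_delivered": device.inbound(unsolicited) is not None,
    }


def run_scenarios():
    """Same traffic pattern through all three devices (RFC 1918 / 5737 / 3849 addresses)."""
    v4_request = Packet("192.168.1.10", 51000, "203.0.113.5", 443)
    v4_probe = Packet("203.0.113.99", 12345, "198.51.100.1", 22)    # aimed at the public IP
    v6_request = Packet("2001:db8:1::10", 51000, "2001:db8:ffff::5", 443)
    v6_probe = Packet("2001:db8:ffff::99", 12345, "2001:db8:1::10", 22)
    return {
        "ipv4_pat": exercise(PatRouter("198.51.100.1"), v4_request, v4_probe),
        "ipv6_no_filter": exercise(StatelessForwarder(), v6_request, v6_probe),
        "ipv6_stateful": exercise(StatefulFilter(), v6_request, v6_probe),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:15s} {result}")
```

Running it shows `ipv4_pat` and `ipv6_stateful` behaving identically (reply delivered, probe dropped) while `ipv6_no_filter` delivers the probe. The difference between the two IPv6 devices is one set of flow entries, not an address rewrite, which is the property a residential IPv6 CPE needs to keep.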

23 comments:

With no security config on the CPE (no port forwarding, no ACL, no FW, ...), it is easier to scan a public IPv6 address than a private IPv4 address (from the outside). Therefore, NAT is more secure :) You can add me to your botnet now :)

I'm trying to come up with an argument against a firewall by default. That breaks the end to end model, and would make deploying new applications almost as hard with IPv6 as it is with IPv4.

Modern hosts have grown up in the jungle, and my laptop I take around with me anywhere. Certainly to unprotected networks. What value does that firewall give me anyway? Most of the 'security' issues in the home aren't things which are caught by a firewall anyway.

If you are concerned about simpler devices like printers and sensors; one could give them only a ULA address and virtually keep them off the big bad Internet.

I don't think the way we learn the IPv6 address of the host matters... it could be via BitTorrent, webserver logs, whatever... your discussion is about IPv6 vs IPv4, not about browser vulns vs OS/apps vulns, right?

"Anyone who thinks NAT is a security feature deserves to become part of a botnet."

I love it!

For those who aren't getting it: NAT by itself does not provide security. Dynamic NAT (aka PAT, aka overloaded NAT, aka multiplexing multiple conversations onto a single layer 3 address using layer 4 port translations) provides some degree of security because it has the side effect of creating state. You will need to run a simple stateful firewall in front of IPv6 clients to get the same effect. This is not a hard problem. Stateful firewalls have no place in front of servers in the first place; owners of IPv6 server farms will need to ensure that their vendor supports stateless ACLs in hardware for IPv6 just like they do for IPv4.

IPv6 has better quality of service - that's standard in the header, not just a recommendation as in v4.

IPv6 has better security - partially agree - in v4 IPsec is in userspace, in v6 in the stack. Huge difference.

Overall I agree with Ivan. I especially like the last myth. The last myth to break remains the ICMP role in networks - in general. That's hard to understand for some people, especially ones coming strictly from the v4 world :)

It all depends on how it is presented or when that pitch was made (e.g. - QoS. Yes, today QoS is 99% identical between IPv4 and IPv6 (the other 1% has to do with a better chance of uniquely identifying the true SRC and DST, which is a Good Thing). However, moving forward, that Flow Label (not useful today) may make QoS much better ... while routing table bloat was semi-solved through Forced Aggregation, but now PI space has undone that (but 'solved' multi-homing, for now).)

Major bonus points for "Anyone who thinks NAT is a security feature deserves to become part of a botnet." :)

The author

Ivan Pepelnjak (CCIE#1354 Emeritus), Independent Network Architect at ipSpace.net, has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced internetworking technologies since 1990.